Using SPDX in Managing Open Source
By Gary O’Neall at Source Auditor
Over the past 3 years, I have been contributing to an initiative to standardize the way open source software information is stored and transmitted between companies.
The SPDX standard is now reasonably stable and implemented in a number of open source and commercial tools making it relatively straightforward to implement.
There are two scenarios you might find yourself in:
- Supplier – organizations providing software either directly or embedded in devices. Suppliers are typically requested to provide an inventory of open source (sometimes referred to as a Software Bill of Materials). SPDX provides a well-defined, standard format for providing this information.
- Consumer – organizations receiving software from other organizations. Since the consumers must adhere to the license obligations, receiving information from the suppliers in a standardized SPDX format can help quickly identify the licenses and obligations associated with the supplied source.
Adopting SPDX as a Supplier
As a supplier, the first step is to understand the software you are providing. If you have organizations providing software to you, see if your suppliers can provide information in the SPDX format (see Adopting SPDX as a Consumer below).
Within your development process, begin tracking the required information for the production of an SPDX document. You can track this information in a tool that supports SPDX (such as the Source Auditor scanning tools). You can also track this information in a spreadsheet that is formatted for the open source SPDX translator tools (see http://spdx.org/tools/spdx/spreadsheet-template-0).
If you have not already done so, you should scan your software to create an initial baseline. Be sure to choose a tool that supports output in the SPDX format.
If you already have tools and processes to manage your open source tracking, you should consider incorporating SPDX extensions into those tools. Even if the tools are built in-house, there are open source libraries that can help. The SPDX tools available at http://spdx.org/tools are all built on a common Java library provided by Source Auditor under the Apache 2.0 license, which is available at http://git.spdx.org/. Source Auditor provides consulting services if you would like help adopting SPDX within your existing tools and processes.
Adopting SPDX as a Consumer
The first step in adopting SPDX is to obtain SPDX documents from your suppliers. Two formats are supported:
- Tag/Value – a text-file-based format which is easily readable and preferred by members of the Linux community
- RDF/XML – a format used by web-enabled applications which provides a very precise description of the software using a common vocabulary defined by IETF. Although this format is human-readable, you may want to run it through a viewer (such as the open source SPDX View application found at http://spdx.org/tools/spdx/spdx-viewer).
To translate the SPDX into something a bit more manageable, consider using the SPDX Spreadsheet Translator downloadable from http://spdx.org/tools/spdx/rdf-to-spreadsheet.
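The Tag/Value format described above is simple enough to process directly when the spreadsheet translator is not at hand. The following is an added example, not code from this post or from the SPDX tool set: a small Python parser for a tag/value document that collects the per-file concluded licenses and flags the files a consumer still has to review (the SPDX values NOASSERTION and NONE both mean the license was not determined). The sample document is constructed here; tag names follow the SPDX 1.1 tag/value layout.

```python
import re
from collections import Counter
# Constructed SPDX 1.1 tag/value sample (not a real supplier's document).
SAMPLE = """\
# package-level information
PackageName: widget-firmware
PackageCopyrightText: <text>Copyright 2012 Example Corp
All rights reserved.</text>
FileName: ./src/main.c
LicenseConcluded: Apache-2.0
LicenseInfoInFile: Apache-2.0
FileName: ./lib/vendored/json.c
LicenseConcluded: MIT
LicenseInfoInFile: NOASSERTION
FileName: ./tools/gen.py
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NONE
"""
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
def parse_tag_value(text):
    """Return (document-level tags, list of per-file tag dicts)."""
    doc, files, current = {}, [], None
    lines = iter(text.splitlines())
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank lines and comments carry no data
        m = TAG_RE.match(line)
        if not m: raise ValueError("malformed line: %r" % line)
        tag, value = m.groups()
        if value.startswith("<text>"):    # multi-line value runs until </text>
            while not value.endswith("</text>"):
                value += "\n" + next(lines)   # StopIteration => unterminated <text>
            value = value[6:-7]
        if tag == "FileName":             # each FileName tag opens a new file entry
            current = {"FileName": value}
            files.append(current)
        elif current is not None:
            current[tag] = value
        else:
            doc[tag] = value
    return doc, files

def license_report(text):
    """Count concluded licenses and list files that need manual review."""
    doc, files = parse_tag_value(text)
    counts = Counter(f.get("LicenseConcluded", "NOASSERTION") for f in files)
    unknown = lambda f, t: f.get(t, "NOASSERTION") in ("NOASSERTION", "NONE")  # not determined
    review = [f["FileName"] for f in files
              if unknown(f, "LicenseConcluded") or unknown(f, "LicenseInfoInFile")]
    return doc.get("PackageName"), dict(counts), sorted(review)
```

A file whose concluded license is known but whose LicenseInfoInFile is NOASSERTION is still flagged, because the supplier's conclusion is not backed by evidence found in the file itself.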
If you have existing tools, check if these tools already support (or plan to support) SPDX. If the tools are built in-house, you can use the open source SPDX libraries to implement SPDX.
Future Directions of SPDX
The current SPDX specification is version 1.1. It provides a good mechanism for describing files and packages along with their associated licenses.
The SPDX organization is very active in listening to the user community and incorporating changes to increase the usefulness and decrease the effort in implementing the standard.
The 2.0 spec is currently being developed and includes several useful extensions:
- Description of embedded open source packages – although you can describe an embedded package in 1.1 as a “file” with a license, 2.0 will support a hierarchy of SPDX documents
- Description of the intended use of a file – Some files are intended as tools or optional components. The 2.0 spec will support a large number of possible file uses to enable the consumer to better determine if a particular file will be distributed.
- Better verification – Support for some form of digital signatures is being discussed as a mechanism for verifying the originator of SPDX documents
More Information
More information for SPDX can be found at http://spdx.org. Participation is welcome – there are 3 different sub-teams that meet regularly:
- Legal: http://spdx.org/participate/legal-team
- Technical: http://spdx.org/participate/technical-team
- Business: http://spdx.org/participate/business-team
You can also contact me at gary@sourceauditor.com.